Security and Reliability of Data in the Cloud

Over the past few days, I got a chance to speak to two different companies in the business analytics space about data in the cloud. One was a SaaS provider, the other an enterprise software vendor. Two vendors, two different stories that illustrate the jury is still very much out regarding how end users feel about putting their sensitive data in the cloud.

The SaaS provider runs its operation in the Amazon EC2 cloud (and no, I do not believe that the company was using Amazon’s new Virtual Private Cloud services). Interestingly, the company said that even organizations in the public sector were starting to get comfortable with the level of security and reliability of the cloud. In fact, the company said that the security and reliability of a cloud data center was, more often than not, better than the security and reliability of the infrastructure on a customer’s premises. This is an argument I have heard before.

The enterprise software vendor also provides a cloud-like option to its customers. This company told me that 80% of its customers did not want to keep their data in a cloud environment because of security concerns. These customers are analyzing some pretty sensitive data about customers, revenue, and the like.

Considerations

When you think about data in the cloud, it is important to think about it from at least 2 perspectives: Yours and the cloud provider. Let’s say you are a mid sized company running a business analytics application in the cloud. From your perspective, the amount of data that you are storing and processing in this service may not that great. However, your SaaS provider might have five thousand customers. In fact, it may be running its application across many servers. It may house your data and the 4999 other companies it calls its clients on multiple database servers. Once your company’s data is in the SaaS provider’s database, it may exist there with data from other companies. The concern, of course, is that your data is in a shared environment that you don’t control. The SaaS provider will tell you that since this is their business, they have a higher level of skill around issues such as security and reliability than might exist in your own company. And this may be true, depending on your company. Each organization needs to evaluate its own needs and issues and make a decision for itself.

Here are some issues to consider about security and reliability:

Data Security

o Different kinds of data require different levels of security. There are huge numbers of issues associated with security –including transporting the data securely to the cloud, as well as data access and data leakage . (those interested should check out a very interesting paper that looks at potential threats from “non-provider affiliated malicious parties” by Ristenpar, Tromer, Shacham, and Savage.)

o Along with this are controls over your data that need to be addressed. These include controls to ensure data integrity such as completeness, accuracy, and reasonableness? There are processing controls to ensure that data remains accurate. And, there also need to be output controls in place. And of course, there needs to be controls over the actual transport of data from your company to the cloud.

o There are also data compliance issues to think about. These might include retention as well as issues such as cross country data transfer.

o Data ownership – Who owns your data once it goes into the cloud? Some service providers might want to take your data, merge it with other data and do some analysis.

Reliability/Availability

o Availability: A provider might state that its servers are available 99.999% of the time, but read the contract. Does this uptime include scheduled maintenance?

o Business continuity plans. If you cloud provider’s data center goes down, what plans are in place to get your data back up and available again. For example, a SaaS vendor might tell you that they back up data every day, but it might take several days to get the back up onto systems in another facility.

o Loss of data. What provisions are in your contract if something happens and your providers loses your data?

o Contract termination- How will data be returned if the contract is terminated?

o Vendor Lock-in – If you create applications with one cloud vendor and then decide to move to another vendor, you need to find out how difficult it will be to move your data from one to the next.